[tor-commits] [Git][tpo/applications/tor-browser][tor-browser-128.2.0esr-14.0-1] fixup! Bug 40209: Implement Basic Crypto Safety

ma1 pushed to branch tor-browser-128.2.0esr-14.0-1 at The Tor Project / Applications / Tor Browser

Commits:

cbb6af14

by Henry Wilkes at 2024-09-12T10:51:21+01:00

fixup! Bug 40209: Implement Basic Crypto Safety

Bug 42702: Read clipboard in parent actor rather than child.

2 changed files:

browser/actors/CryptoSafetyChild.sys.mjs
browser/actors/CryptoSafetyParent.sys.mjs

Changes:

browser/actors/CryptoSafetyChild.sys.mjs

@@ -5,12 +5,14 @@
   * License, v. 2.0. If a copy of the MPL was not distributed with this
   * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 -import { Bech32Decode } from "resource://gre/modules/Bech32Decode.sys.mjs";
+-
  import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs";
  const lazy = {};
 +ChromeUtils.defineESModuleGetters(lazy, {
 +  setTimeout: "resource://gre/modules/Timer.sys.mjs",
 +});
++
  XPCOMUtils.defineLazyPreferenceGetter(
    lazy,
    "isCryptoSafetyEnabled",
@@ -18,43 +20,6 @@ XPCOMUtils.defineLazyPreferenceGetter(
    true // Defaults to true.
  );
 -function looksLikeCryptoAddress(s) {
 -  // P2PKH and P2SH addresses
 -  // https://stackoverflow.com/a/24205650
 -  const bitcoinAddr = /^[13][a-km-zA-HJ-NP-Z1-9]{25,39}$/;
 -  if (bitcoinAddr.test(s)) {
 -    return true;
 -  }
+-
 -  // Bech32 addresses
 -  if (Bech32Decode(s) !== null) {
 -    return true;
 -  }
+-
 -  // regular addresses
 -  const etherAddr = /^0x[a-fA-F0-9]{40}$/;
 -  if (etherAddr.test(s)) {
 -    return true;
 -  }
+-
 -  // t-addresses
 -  // https://www.reddit.com/r/zec/comments/8mxj6x/simple_regex_to_validate_a_zcash_tz_address/dzr62p5/
 -  const zcashAddr = /^t1[a-zA-Z0-9]{33}$/;
 -  if (zcashAddr.test(s)) {
 -    return true;
 -  }
+-
 -  // Standard, Integrated, and 256-bit Integrated addresses
 -  // https://monero.stackexchange.com/a/10627
 -  const moneroAddr =
 -    /^4(?:[0-9AB]|[1-9A-HJ-NP-Za-km-z]{12}(?:[1-9A-HJ-NP-Za-km-z]{30})?)[1-9A-HJ-NP-Za-km-z]{93}$/;
 -  if (moneroAddr.test(s)) {
 -    return true;
 -  }
+-
 -  return false;
 -}
+-
  export class CryptoSafetyChild extends JSWindowActorChild {
    handleEvent(event) {
      if (
@@ -70,13 +35,13 @@ export class CryptoSafetyChild extends JSWindowActorChild {
        return;
+     }
 -    this.contentWindow.navigator.clipboard.readText().then(clipText => {
 -      const selection = clipText.replace(/\s+/g, "");
 -      if (!looksLikeCryptoAddress(selection)) {
 -        return;
 -      }
 +    // We send a message to the parent to inspect the clipboard content.
 +    // NOTE: We wait until next cycle to allow the event to propagate and fill
 +    // the clipboard before being read.
 +    // NOTE: Using navigator.clipboard.readText fails with Wayland. See
 +    // tor-browser#42702.
 +    lazy.setTimeout(() => {
        this.sendAsyncMessage("CryptoSafety:CopiedText", {
 -        selection,
          host: this.document.documentURIObject.host,
        });
      });

browser/actors/CryptoSafetyParent.sys.mjs

@@ -11,6 +11,7 @@ const lazy = {};
  ChromeUtils.defineESModuleGetters(lazy, {
    TorDomainIsolator: "resource://gre/modules/TorDomainIsolator.sys.mjs",
 +  Bech32Decode: "resource://gre/modules/Bech32Decode.sys.mjs",
  });
  ChromeUtils.defineLazyGetter(lazy, "CryptoStrings", function () {
@@ -24,6 +25,43 @@ XPCOMUtils.defineLazyPreferenceGetter(
    true // Defaults to true.
  );
 +function looksLikeCryptoAddress(s) {
 +  // P2PKH and P2SH addresses
 +  // https://stackoverflow.com/a/24205650
 +  const bitcoinAddr = /^[13][a-km-zA-HJ-NP-Z1-9]{25,39}$/;
 +  if (bitcoinAddr.test(s)) {
 +    return true;
 +  }
++
 +  // Bech32 addresses
 +  if (lazy.Bech32Decode(s) !== null) {
 +    return true;
 +  }
++
 +  // regular addresses
 +  const etherAddr = /^0x[a-fA-F0-9]{40}$/;
 +  if (etherAddr.test(s)) {
 +    return true;
 +  }
++
 +  // t-addresses
 +  // https://www.reddit.com/r/zec/comments/8mxj6x/simple_regex_to_validate_a_zcash_tz_address/dzr62p5/
 +  const zcashAddr = /^t1[a-zA-Z0-9]{33}$/;
 +  if (zcashAddr.test(s)) {
 +    return true;
 +  }
++
 +  // Standard, Integrated, and 256-bit Integrated addresses
 +  // https://monero.stackexchange.com/a/10627
 +  const moneroAddr =
 +    /^4(?:[0-9AB]|[1-9A-HJ-NP-Za-km-z]{12}(?:[1-9A-HJ-NP-Za-km-z]{30})?)[1-9A-HJ-NP-Za-km-z]{93}$/;
 +  if (moneroAddr.test(s)) {
 +    return true;
 +  }
++
 +  return false;
 +}
++
  export class CryptoSafetyParent extends JSWindowActorParent {
    async receiveMessage(aMessage) {
      if (
@@ -33,7 +71,24 @@ export class CryptoSafetyParent extends JSWindowActorParent {
        return;
+     }
 -    let address = aMessage.data.selection;
 +    // Read the global clipboard. We assume the contents come from the HTTP
 +    // page specified in `aMessage.data.host`.
 +    const trans = Cc["@mozilla.org/widget/transferable;1"].createInstance(
 +      Ci.nsITransferable
 +    );
 +    trans.init(null);
 +    trans.addDataFlavor("text/plain");
 +    Services.clipboard.getData(trans, Ci.nsIClipboard.kGlobalClipboard);
 +    let data = {};
 +    trans.getTransferData("text/plain", data);
 +    data = data?.value.QueryInterface(Ci.nsISupportsString).data;
++
 +    let address = data?.replace(/\s+/g, "");
++
 +    if (!address || !looksLikeCryptoAddress(address)) {
 +      return;
 +    }
++
      if (address.length > 32) {
        address = `${address.substring(0, 32)}…`;
+     }